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[57] ABSTRACT 

A software agent for detecting and removing computer 
viruses located in attachments to e-mail messages. A client- 
server computer network includes a server computer and a 
plurality of client computers. A message system, located at 
the server computer, controls the distribution of e-mail 
messages. An anti-virus module, located at the server 
computer, scans files for viruses. The agent is located at the 
server computer and provides an interface between the 
anti-virus module and the message system. The agent can 
operate both on a real-time basis and at preset period 
intervals. E-mail messages that are sent internally within the 
network can be scanned, e.g., Intranet e-mail messages. In 
addition, e-mail messages received over the Internet can be 
scanned. 

35 Claims, 3 Drawing Sheets 
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ANTI-VIRUS AGENT FOR USE WITH 
DATABASES AND MAIL SERYERS 

FIELD OF INVENTION 

The present invention is directed to a software program 
and interface to detect and remove computer viruses, and in 
particular, to a system and method for detecting and remov- 
ing computer viruses in database file and e-mail attach- 
ments. 

COPYRIGHT NOTICE 

A portion of the disclosure of this patent document 
contains material which is subject to copyright protection. 
The copyright owner has no objection to the facsimile 
reproduction by anyone of the patent document or patent 
disclosure as it appears in the Patent and Trademark Office 
patent file or records, but otherwise reserves all copyright 
rights whatsoever. 

BACKGROUND OF THE INVENTION 

A computer virus is a computer program written to alter, 
without authorization, the way a computer operates, similar 
to a biological virus, a computer virus can reproduce itself 
by attaching to other files. 

To be a computer virus, a program need meet only two 
criteria. First, it is executable, often placing some version of 
its own code in the path of execution of another program. 
Often a computer virus executes itself. Second, it replicates 
itself. For example, a virus program may copy itself to other 
executable files or to disks that the user accesses. Many 
computer viruses attach them selves to other executable 
files. 

Viruses are transmitted when an infected file is copied, 
downloaded or used. Viruses can invade workstations 
(including desktop computers and laptop computers) and 
network servers alike. 

Many viruses, when executed, cause damage to an 
infected computer or network server. Some viruses are 
programmed to damage the computer by corrupting 
programs, deleting files, or reformatting the hard disk. If a 
virus does cause damage, the damage will vary depending 
upon the particular virus infecting the computer. In general, 
viruses can do the following damage to a computer: hang the 
computer, erase files, scramble data on the hard disk, attack 
the File Allocation table, attack the petition table, or format 
the hard disk. 

Other viruses are just nuisances, continually reproducing 
themselves, or outputting text, video or audio messages. 
Even these benign viruses, however, can create problems for 
the computer user because they typically take up computer 
memory used by legitimate programs. As a result, they often 
cause erratic behavior and can result in system crashes. In 
addition, many viruses are bug-ridden, and the bugs may 
lead to system crashes and data loss. 

Personal computer viruses can be classified according to 
how the virus is transmitted and how it infects the computer. 
Boot sector viruses infect the system area of a disk — that is, 
the boot record on floppy diskettes and hard disks. All floppy 
diskettes and hard disks (including disks containing only 
data) contain a small program in the boot record that is run 
when the computer starts up. Boot sector viruses attach 
themselves to this part of the disk and activate when the user 
attempts to start up from the infected disk. Accordingly, boot 
sector viruses overwrite the disk's original boot sector with 
its own code so that the virus is always loaded into memory 
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before anything else. Once in memory, the virus can make 
the startup disk unusable or can spread to other disks. Master 
boot sector viruses overwrite the disk's master boot section 
(partition table) which is the first sector on the hard disk. File 

5 viruses infect other programs when an infected program is 
run. File viruses must be executed in order to become active. 
They do not remain in memory, so they do not infect the 
system. File viruses attach themselves to executable files 
(such as executable files with extensions such as 

10 .COM, .EXE, .OVL, .DLL, .DRV, .SYS, .BIN, and .BAT.) 
These viruses often change the file attribute information and 
the file size, time and date information. Memory resident 
viruses load themselves into memory and take over control 
of the operating system. Like file viruses, memory resident 

15 viruses attach themselves to executable files. Multipartite 
viruses combine the characteristics of memory resident, file 
and boot sector viruses. 

A recent type of virus, the macro virus, is written in the 
macro language of a specific computer program, such as a 

20 word processor or spreadsheet. Thus, a macro virus can 
reside in documents. Macro viruses infect files and can 
become memory resident when executed. They can be run 
when the program document is accessed or triggered by 
certain user actions, such as specific keystrokes or menu 

2 5 choices. Macro viruses can be stored in files with any 
extension and are spread via file transfer, even by e-mail. 
Although in the past documents have not normally been 
infected by the previously discussed types of viruses, any 
application which supports macros that automatically 

30 execute is a potential platform for macro viruses. Because 
documents are now widely shared through networks and 
over the Internet, even more so than the sharing of diskettes 
were in the past, document-based viruses are likely to 
become more prevalent. 

35 Even though the creation of a virus is a deliberate act, 
viruses are usually introduced into computers and corporate 
networks inadvertently when innocent users copy or down- 
load infected files onto the computer or network. 

4Q Traditional anti -virus software is designed to detect and 
remove computer viruses. Viruses are detected by anti-virus 
software in two basic ways: through a full scan of a hard 
drive or in real-time as each file is accessed. Most anti-virus 
software provide both these features. Additionally, anti-virus 

45 programs can be instructed to scan one or more user-selected 
files or directories of files. 

Full and real-time scans detect known viruses using 
signature codes (like virus fingerprints) which identify a 
program as a virus. Some anti-virus software also use 

50 advanced techniques (such as polymorphic detection) to 
identify potential viruses and check memory and system 
files for viruses. 

Existing anti-virus products work fine when floppy disks 
are the main instruments for importing data into a comput- 

55 er's memory. However, in recent years, electronic transfers 
have become a common way to exchange data in electronic 
form. Not surprisingly, electronic transfers also have 
become a major virus threat. Existing anti-virus technology 
does not safeguard against all possible methods by which 

50 viruses can be introduced into and spread within a computer 
network. 

Many corporations have computer networks to allow 
sharing of programs and data and for exchanging messages. 
With networking, enterprise computing and intra- 
65 organizational communications on the increase, (e.g., using 
client- server networks and peer-to-peer networks, local area 
networks and wide area networks) viruses can easily spread 
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throughout the organization's computer system, infecting virus checking. Thus, e-mails received from outside the 

many computers. And because data exchange is the very network are first scanned prior to entry into the system post 

reason for using these solutions, a vims on one computer in office. (ScanMail is said to protect an internal LAN by 

the enterprise is far more likely to communicate with and intercepting and isolating viruses at the cc:Mail Post Office 

infect other computers than would have been true a few 5 before the virus reaches a workstation.) However, this 

years ago. Moreover, many intra-organizational networks architecture does not enable the scanning of Intranet e-mail 

have electronic links to external computer networks (such as messages. Messages that are sent and received internally 

the Internet, proprietary online services and bulletin boards). never reach the proxy post office and so are never scanned. 

Such links enable electronic data and computer programs Accordingly, users may transmit viruses via e-mail inter- 

(including those that may be infected with a computer virus) 1Q nally within the organization. ScanMail is incapable of 

to be introduced into the organization's network. (According detecting viruses in e-mail attachments that originate within 

to the National Computer Security Association (NCSA), and stay within a LAN. 

over 70% of corporate networks are virus infected.) Expo- Another product that purports to scan for attachments to 

sure to virus transmission from network node to node is a e-mail is InterScan VirusWall distributed by Trend Micro 

costly threat to enterprise data integrity as well as produc- 15 Devices, Inc. When installed on a UNIX Internet gateway, 

tivity. InterScan Virus Wall is intended to intercept and scan e-mail 

Of particular concern in relation to the transmission of attachments, FTP transfers, World Wide Web downloads and 

computer viruses is electronic mail (e-mail). There is a uploads and transfers of data between in-house PCS or 

growing use of e-mail to communicate within an organiza- LANs and the outside world. InterScan VirusWall consists 

tion (e.g., using a local area network) and to communicate 20 of an FTP proxy server for gateway traffic and a Simple Mail 

externally (e.g., over the Internet with computer users Transfer Protocol (SMTP) proxy server for e-mail. As with 

located at remote locations). E-mail messages may include the ScanMail application, the InterScan VirusWall program 

attached files containing, for example executable programs, is only capable of scanning e-mail attachments that pass 

formatted documents, sound, video, etc. It will be appreci- through the Internet gateway; it is incapable of scanning 

ated that an attachment to an e-mail message may contain a 25 e-mail attachments that are being transferred internally 

file infected with a computer virus. Thus, for example, an within the LAN. Furthermore, since the InterScan applica- 

e-mail message received over the Internet may contain as an tion runs on the gateway and scans individual packets, it 

attachment a Microsoft Word document infected with a may not be sufficiently efficient to detect polymorphic 

Word Macro virus; an e-mail message broadcast on the local viruses or compressed files if the files are larger then one 

area network by a project manager to her many team 30 packet size on the network. 

members may contain an attachment also infected with a A product called Antigen distributed by Sybari transfers 

virus. e-mail attachments to a third party virus scanner for detec- 

Because any type of file may be attached to an e-mail tion of virus. However, Antigen is incapable of reattaching 
message, it is often difficult for virus protection software to the e-mail attachment back to the e-mail message if a virus 
determine how to handle the attachment. Further, typical 35 is discovered and cured. Although the Antigen software will 
e-mail systems store all e-mail messages on a mail server in provide the third party software with the e-mail attachment, 
proprietary file formats, regardless of the format of the the attachment inside the system will remain infected 
attached file. All messages received by one user may be because there is no integration between the Antigen software 
stored as a single file, e.g. "inbox.msg", on a central mail and the third party software to enable the third party soft- 
server. Moreover, some e-mail programs use proprietary 40 ware to cure the virus in the e-mail attachment, 
encryption. It is said that scanning e-mail attachments from Some virus detection programs for e-mail programs oper- 
inside a LAN is very difficult because e-mail programs like ate on the client side and scan e-mail messages sent to a user 
cc:mail, Microsoft Exchange and Davinci encrypt e-mail for whenever the user opens his or her mailbox. Such a system 
privacy reasons. Thus, the formats, algorithms and data has a number of inefficiencies. The virus detection program 
structures used by e-mail programs make it difficult to 45 must be loaded onto each client computer; thus if there are 
develop anti-virus programs that prevent the spread of 250 workstations, the virus detection program must be 
viruses in e-mail attachments. loaded 250 times. If one workstation is missed, a virus may 

It is an important goal of anti-virus programs to detect a not be detected. Further, the scanning takes place on a 

virus as soon as possible, before damage is done or the virus deferred basis when the user opens his or her mailbox. If the 

is distributed to infect other computers. Many virus detec- 50 user is an infrequent e-mail user, then many messages may 

tion programs, for example, do not scan outgoing e-mail need to be scanned on opening of the mailbox. Infected 

messages for viruses, thus allowing the potential spread of e-mail messages may reside undetected for long periods in 

a virus to other computers. Commonly used anti-virus unopened mailboxes, and possibly be spread to other users 

program do not scan draft e-mail messages that are created by means of automated rules that automatically forward 

but not sent (i.e., an e-mail message created and stored for 55 received e-mail meeting certain characteristics, 

later editing and/or sending). Virus detection software Accordingly, there is a need for a computer program that 

directed to e-mail may only scan certain e-mail attachments can scan and remove computer viruses in e-mail 

on the happening of certain determined events. Thus, there attachments, without causing detriment to the attachment to 

is a need to detect viruses at any and every time a virus the e-mail message, for all e-mail messages, including 

possibly may enter or spread within an e-mail system. 60 e-mail messages that are internal within the system (e.g., 

Several products claim to scan for viruses in attached between users on the same mail server), that are sent over or 

e-mail files. For example, "ScanMail for cc:Mail" distrib- received from an external e-mail system, or are drafted and 

uted by Trend Micro Incorporated, can scan e-mail attach- stored in the e-mail server but are never sent, 

ments received over the Internet. This program is a proxy There is an additional need for a centralized system for 

type software that replaces the original post office with its 65 scanning e-mail messages for viruses that does not require 

own proxy post office (where virus checking takes place) anti-virus software to be loaded on all workstations in a 

and routes clean e-mail to the original e-mail post office after network. 
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SUMMARY OF THE INVENTION 

In the representative embodiment, the present invention is 
a software program (called herein the agent) used in con- 
junction with an ti -virus software to detect and remove 
computer virus that may be in e-mail attachments. 

The agent computer program of the present invention 
detaches the e-mail attachment from the e-mail message, 
causes it to be scanned for computer viruses (and if required, 
causes any detected computer viruses to be removed), and 
then reattaches the attachment back to the e-mail message. 
The present invention operates correctly for all e-mail 
messages, including (a) e-mail messages that are internal 
within the system (called herein Intranet e-mail), (b) e-mail 
messages that are sent over or received from an external 
e-mail system (called herein Internet e-mail), and (c) e-mail 
messages that are drafted and/or stored in the e-mail system 
and are yet to be sent. 

It will be appreciated that the agent of the present inven- 
tion operates from within the mail system, rather than as a 
firewall or proxy post office, enabling Intranet e-mail attach- 
ments to be scanned. 

Accordingly, the present invention will ensure that all 
e-mail messages will be scanned to protect the internal 
e-mail system. 

Moreover, once a virus is detected and removed from the 
attachment, the attachment is still a useful part of the e-mail 
message and can be handled by the e-mail system as normal 

Advantageously, the present invention operates on the 
server side rather than at the client side. Thus, the agent need 
only be loaded once, at each mail server, rather than on each 
workstation or PC of the network. Further, e-mail messages 
can be scanned and disinfected regardless of the user's 
e-mail use. Thus, if the user is on vacation and receives 
many e-mail messages, some infected with viruses, these 
will be scanned and disinfected so that upon the user's 
return, his or her mailbox will contain only virus-free e-mail 
messages. 

The efficiency of such an approach can be seen when 
analogizing with real world mail delivery. If one wished to 
scan all letters that are mailed for bombs, it is more efficient 
to have a scanning machine at the central mail exchange that 
continuously scans all letters as they are sorted, rather than 
having a scanning machine at each person's home that scans 
once a day after the letters are delivered. 

In the representative embodiment, the agent browses 
through any attachments to e-mail messages that originate 
within the client network or are received from an external 
network, detaches any such attachments from the database 
or mailbox, and sends these attachments to an integrated or 
stand alone anti-virus application. The agent can reattach the 
attachment to the e-mail message after treatment by the 
anti-virus application. 

Additionally, the agent of the present invention can oper- 
ate at the server level, thus centralizing virus detection 
operations. E-mail for a user can be scanned for viruses 
without the need for the user to login to the network. Further, 
the scanning of e-mail attachments can take place on a 
regular, periodic basis, rather than merely upon the sending, 
receiving or reading of the e-mail message. 

The present invention provides an application program 
interface that can be centrally administered from a network 
server and that need not be installed at every workstation 
connected to the centrally administered server. 

The agent of the representative embodiment is designed to 
be generic to and compatible with many e-mail and database 
systems. 



2,208 

6 

In addition to scanning on a periodic basis, the present 
invention includes real-time scanning capabilities that will 
scan e-mail attachments for viruses upon receipt of a new 
e-mail message. 
5 These and other advantages and features of the present 
invention will become readily apparent to those skilled in 
the art after reading the following detailed description of the 
invention and studying the accompanying drawings. 

10 BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a block diagram of a network architecture on 
which the present invention can operate. 

FIG. 2 is a diagram of modular communications between 
15 the present invention and an e-mail system. 

FIG. 3 is a flow chart detailing the operation of the present 
invention. 

DETAILED DESCRIPTION 

20 Referring now to the drawings, and initially FIG. 1, there 
is illustrated a computer network being a local area network 
(LAN) 100 that is configured to run an agent program 110 
of the present invention. 

25 As described herein, the present invention operates on a 
local area network having a client/server architecture. 
However, the present invention is not limited to such a 
network or architecture, and can, for example, easily be 
adapted to run on, for example, a peer-to-peer network or 

3Q wide area network. Further, the agent program can be 
integrated into or created as part of other programs, such as 
network operating systems, e-mail programs and/or virus 
detection programs. 

The network 100 comprises a server 20, a plurality of 

35 personal computers (PC) 10 and workstations 30, and an 
Internet gateway 40, all of which are coupled together via 
communication line 15. As stated above, this network con- 
figuration is merely illustrative as an example of the type of 
network architecture that is capable of running the agent of 

40 the present invention. The server 20 and the personal com- 
puters 10 may be programmed to run a particular e-mail or 
database programs, such as the Lotus Notes program or the 
Microsoft Exchange program. Each personal computer typi- 
cally includes an input device 16 (e.g., keyboard, mouse, 

45 etc.), an output device 12 (e.g., a monitor), a processor 13 
and a memory 14; likewise, workstation 30 may also include 
an output device 32, an input device 36, a processor 35 and 
a memory 34. 

Further, gateway 40 provides the network 100 with access 

50 to an external computer network, such as, for example, the 
Internet 42. The agent 110 of the present invention is 
configured to be compatible with both the e-mail and the 
database applications that are provided to server 20. 
For the purpose of clarity of description, in the example 

55 used herein, the agent 110 of the representative embodiment 
of the present invention is intended to scan attachments to 
files and messages generated within, sent from or received 
by the Lotus Notes program. For convenience, the term 
" e-mail message" will be used to describe all types of files, 

60 messages, broadcasts and communications used within, sent 
from or received by a mail server, such as, for example, the 
Lotus Notes program, or a database program that allows for 
attachments. The agent 110 of the present invention can also 
operate with other network mail and database programs that 

65 allow for e-mail message attachments such as, for example, 
Microsoft's Exchange program, Lotus's cc:mail, and 
BeyondMail. Additionally, the agent 110 can operate with 
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public folders and public forums (e.g., areas where one user 255). After step 255, the agent 110 determines if the entire 
posts a message capable of being viewed by all other users.) mail system 140 has been scanned (step 260). If so, then the 
FIG. 2 illustrates the software components that, in the process has reached an end (step 230). If the entire mail 
representative embodiment, are executed by server 20. The system 140 has not been scanned, then the agent 110 
representative application executed by the server 20 for the 5 proceeds to the next e-mail message (step 235). 
purpose of illustration is the Lotus Notes program. A Lotus if the infected attachment is not to be deleted in step 250, 
Notes server program 130 is configured within server 20 to then the anti-virus application 120 cures the infected attach- 
transmit and receive files and e-mail messages from and to mcn t if possible (step 270). If cured, the attachment is then 
the various other nodes in LAN 100, including Internet reattached (step 220), and the agent 110 proceeds to the next 
gateway 40. One or more databases 140 (herein a Lotus 1° e-mail message, if any. The agent 110 is capable of process- 
Notes database 140) stores the e-mail messages that have ing e-mail messages that originate within LAN 100 
been received, sent, drafted or stored. (In Lotus Notes, every (including Intranet e-mail messages) or that enter LAN 100 
database is treated as a file.) Attachments to the e-mail from the Internet through gateway 40 (Internet e-mail 
messages are stored along with such messages in the Lotus messages). 

Notes database 140. The mail [server 130 and the database ^ ^ InocuLAN m 120 ^ ^ ified mdividu . 

140 together can be regarded as a message system. The ^ ^ ^ e . majl m of yia ch n6 Software, Inc.'s 

nodes ot the network (e.g., 1U, 3d, may include client-side ^ Generic Notmcation 

system to warn users so as to stop 

mail programs that, interacting with the mail server 130 ^ ^ ^ di ^ InocuLAN ^ Scannct and 

allow a user to create, read, send, store and edit e-mail ^ Job Servke WQrk conjunctively ^ the agent uo to 

messages. perform virus scanning and curing within the message 

An anti-virus application 120 scans files for viruses and system and to ensure a virus free environment, 

can remove viruses from any infected file. In the rep resen- _ „ ,. , .. . ... c 

tative embodiment, the anti-virus application 120 is the A J^ 0 , 110 ™^ IS a P* ud ?" cofc description of a ibrary ■ of 

InocuLAN program, available from Cheyenne Software, mat canbe ^ to m P e ft ment ^ } 10 

Inc. of Roslyn Heights, N.Y. The InocuLAN program can be 25 f res f m invention. The agent 110 can be regarded as a high 

, j - • t » j i 1., a i 1 level, generic library of APIs, lne agent 110 of the repre- 

reearded as comprising two submodules, namely a local \ & . „ J . . . & . . , t y . 

_ , , A n ? u Tim T« rt ^,T a m sentative embodiment can be used in conjunction with both 

scanner module and a job service module. Irie InocuLAN . VT , w . . _ . J 

j tU • t o f ,1 an the Lotus Notes and Microsoft Exchange programs, lne 

program is used as the user interface for the agent 110, e.g., * * * Microsoft 

to set the times when a scan is to take place and to report !? e ° l uu u ' u T lze * me A w?£i V -T- set me Microsott 

results of scans 30 Exchange API set and MAPI to assist in its functions, e.g., 

e .. to browse, detach and re-attach the e-mail attachment. These 

The agent 110 detaches and forwards any e-mail message ^ and Microsoft ^ arc published, and a skilled 

attachments to the anti-virus software application 120. programmer will understand how they can be configured to 

FIG. 3 shows a flow diagram corresponding to the opera- interact with the agent 110. The agent 110 is thus a set of 

tion of the agent 110 of the present invention in conjunction 35 APIs that can be used by an anti- virus application 120 to 

with the anti-virus software application 120. Although the communicate with a mail server program 130. 

agent 110 of the present invention is generic to both data- _ . e „ . . tnMr > A „ . t ... 

, to , -i * c *i_ r c i- iu In the following pseudo-code, MDA is a term that 

bases and e-mail systems, for the sake of simplicity, the i , . <_ . « T n™ • i 

r * I ii j' «, i +u • f means mail database agent. UID is a unique or universal 

following discussion shall discuss only the scanning of . , , 4 . , * ™ • t 

° .1 • 1 4U * i ♦ identifier used to identify an e-mail message. This example 

e -mail messages. Further, it is assumed that a complete scan 4D « » a vt • • iL ^r- j JZt* * ^ 

of all e-mail messages (i.e., all attached files for all databases ™£™ s l ^ hAN ls the Wmdows network °P er - 

and mail boxes) is to take place. In step 200, the agent 110 & X s • 

determines whether an attachment is present in an e-mail MDAConnectAgent( ): Establishes a connection to the 

message. If an attachment does not exist, then the Agent 110 Messaging Agent. Called before any MDA API calls that 

determines in step 240 whether the entire mail system 140 45 require an <agent 13 id> as an input parameter, 

has been scanned. If the entire mail system 140 has been Input 

scanned, then the agent 110 ceases operation. If, however, Windows NT server name. 

the entire mail system 140 has not been scanned, then the N ame of Messa in Aeent 

agent 110 proceeds to the next e-mail message (step 235). If s S^s 

an attachment is present in an e-mail message, the agent 110 50 Windows NT login name of user. 

detaches the attachment (step 205), and it sends the attach- The name of the profile used for login (for Exchange 

ment to the anti-virus application 120 (step 210). If the Server only). 

anti-virus application 120 does not detect the presence of a The password used to login with the above user__id and 

virus in the attachment (step 215), then the agent 110 userProfile. 

reattaches the attachment to the original e-mail message 55 Output 

(step 220). <agent_id> which is the returned connectionID that can 

If, however, the anti-virus application 120 detects the ^ e ^ v j ater 

presence of a virus in the attachment, then an alert is M . , . . t 

j / ncvou 1- u a 1 • calls to trace the current connection instance, 

generated (step 245). Such an alert may be configured m . mm . . A a\ ^ 

& . v i, i i( _t^ ■ 1 MDADisconnectAgentt ): Disconnect the current connec- 

several ways. For example, the alert may comprise a system- 60 . . • * . ^ n j & lwtna 

■j . ♦ , • ' j • np in tion to the Messagmg Agent Called after each MDA session 

wide text message that is transmitted to every PC 10 or ^ resource 

workstation 30 in LAN 100 or to the network administrator, 

or the alert may instead comprise a message that is delivered Input 

to the network node that originated or received the infected <agent_id> 

attachment. After such an alert is generated, the anti- virus 65 MDAGetAgentInfo( ): Get the Messaging system vendor 

application 120 may (if so configured) delete the infected information from the Agent May be called anytime between 

attachment (step 250). If so, the attachment is deleted (step a MDAConnectAgent( ) and a MDADisconnectAgent( ). 
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Input MDAScanAllFindFirst( ): Scan the whole message sys- 

<agent_id> tcm and return a list of all attachment files stored in the 

size of buffer pointed to by <vendor> svstem received after the time stamp specified by <start_ 

Output time>. If <start__time> is zero, all will be scanned. Will first 

j ...... f 4 . i . ( , w . 5 scan the Public Information Store and then the Private 

<vendor>, which is information about the Messaging , f ,. c#rtMf , adi „.„ „„, « .i * 

hA1 ,, ^ & Information Stores. This API will cause a first Information 

x/n a n n vf ✓ 7 7Z \u t , m , j * u Store to be opened and a dbhandle is to be returned in the 

MDAOpenDatabasef ): Open the Lotus Notes database or A c T td u~ „ n 1^ a A u ♦ 

- . , f c o ii j * ♦ * * i j AFILE. May be called anytime between a 

Exchange Information Store. Called first to get a valid » #riA o t * ./ \ ^ R*r»Aiv *a ./ \ l * 

dbhandle. All other MDA API calk that require dbhandle M ^AC°nn ^"11^1 l iST^V 

4l _ , „ , »m^ac- Am-- jr- \ 10 not within any other active scan sequence. This API call is 

can then be called. MDAScanAllFindFirstf ) or . . J ... #u . JU u ji a 

xm .„ - , , „. x .„ . ... v / , not made while there is an active dbhandle. A 

MDAScanDa.abaseFindFirst( ) will implicitly open infor- MDAaoseFind Handle( ) must be called to terminate a scan 

mation store. v / 

T 4 session. 
Input 

Input 

<agent_id> 15 

<dbname> which is the input Lotus Notes database name <agen _i > 

to be opened; for Microsoft Exchange set to null. <start_time> which is the scan starting time. 

<istoreUID> which is the UID of the Exchange Informa- Output 

tion Store to be opened; for Lotus Notes set to null. <handle> which is a search handle returned to the caller 

Output 20 of the current scan, for the purpose of tracing all the 

<dbhandle> 50311 sequence. 

MDACloseDatabase( ): Close an opened Lotus Notes <afile> which is the first attachment information found in 

Database or Exchange Information Store. Called to release the system. 

the allocated resource. MDAScanAllFindNext( ): Get the next attachment infor- 

Input 25 mation structure of the current scan. Call made within a 

<agent id> MDAScan session. This API call may cause an Information 

<dbhandle> ^ torc to ^ c c ^ oscc * anc * anotner Information Store to be 

MDAEnumObjects( ): Enumerate the subobjects within a °P ene d* 

container. For Exchange and Lotus Notes, there are three 30 In P ut 

layers of objects, namely Agent, Mailbox/Public IStore, and <agent_id> 

Messages. When <input_object_type> is MDA_ <handle> 

OBJECT _ AGENT, returns a list of Mailboxes and Public Output 

Istores. When <input_object_type> is MDA_OBJECT_ * t . r . o 

MAILBOX or Istore, returns a list of messages within it. 35 <afilc> which 1S thc ncxt attachment information found in 

May be called anytime between a MDAConnect Agent( ) and the svstem * 

a MDADisconnectAgent( ). MDACloseFindHandle( ): close the current search 

I t handle — will terminate the current scan. Called with an 

.« active handle. Can be called after a MDAScanAllFindFirst( 

<agent_ia> ), MDAScanAllFindNext( ), MDAScanDatabaseFindFirstf ) 

<input_object__type>-the type of the mput_object to 40 Qr MDAS canDatabaseFindNext( ). 

enumerate. Possible values are MDA_OBJECT__ , 

AGENT, MDA_OBJECT_MAILBOX and MDA_ lnpUl 

OBJECT_INFORAMTIONSTORE. <agent_id> 

The display name of the input_object. <handle> 

The UID of the input object, for Exchange only. 45 MDAScanDatabaseFindFirst( ): scan a specific Informa- 

The size of the buffer ^ OD Store anc * return a list of all the attachment files stored 

q u1 t * there. May be called anytime between a 

Hie type of the returned object. MDAConnectAgenl( ) and a MDADisconnectAgen* ), but 

* y J not withm any other active scan sequence. 

A buffer containing a list of the display name of the 50 T nmit 

sub_objects, terminated by a double NULL. 

The number of bytes returned in the above buffer. <agent_id> 

A buffer comprising a list of the UID of the sub-objects. <P &th> which is the P ath Dame of ^ Notes 

The number of bytes returned in the above buffer. d f base 10 b ^ ^canned-used only for U)tus Notes, 

MDAGetAllMsgUids( ): Get a list of message UIDs for 5S otherwise set to NULL 

all the messages in the openedMailbox or Information Store. <istoreUID> which is the UID of the Information Store to 

Input De scanned — used only for Exchange, otherwise set to 

<agenUd> WLL - 

<dbhandle> 6Q <*«LJimc> 

The size of the UID buffer. 0ut P ut 

Output <handle> 

A buffer comprising a list of message UIDs of the <afile> which is the first attachment found in the store, 

messages within the Mailbox or Information Store. MDAScanDatabaseFindNext( ): Get the next attachment 

The number of bytes returned in the above buffer. 65 information structure of the current scan. This API call made 

MDAGetObjectProperty( ): get the desired properly of the within a MDAScan session. May be called anytime between 

specified object a MDAConnectAgent( ) and a MDADisconnectAgent( ). 
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Input 

<agent_id> 

<handle> 
Output 

<afile> which is the next attachment found in the system. 

MDADeleteFile( ): Delete the temporary file created for 
detach the attachment and clear the attachment. If filePath is 
not NULL, delete the file specified by it. If afile or attachlnfo 
is not NULL then go to the message and remove the 
attachment from it. May be called anytime between a 
MDAConnectAgent( ) and a MDADisconnectAgent( ). 
Input 

<agent_jd> 

<afile> which comprises the attachment information; the 
dbhandle of current information store is also comprised 
in it. 

<fllePath> which is the path of the temporary file. 

MDAExtractFileQ: Extract the content of the attachment 
to a temporary file. May be called anytime between a 
MDAConnectAgent( ) and a MDADisconnectAgent( ). 
Input 

<agent_id> 

<afile> 
Output 

<filePath> 

MDAAttachFile( ): Attach a file to an existing attachment. 
May be called anytime between a MDAConnectAgent() and 
a MDADisconnectAgent( ). 
Input 

<agent__id> 

<afile> 

<filePath> 

MDAGetMailInfoFromAFile( ): Attach a file to the 
attachment. May be called anytime between a 
MDAConnectAgent( ) and a MDADisconnectAgent( ). 
Input 

<agent_id> 

<afile> 
Output 

<mail> which is information about the message contain- 
ing the attachment. A bunch of pointers point to the 
buffer where the actual data resides. 

<buffer> comprising output information. 

The size of the buffer above. 

MDAGetAttFileCountFromMessage( ): Get a list of 
attachment files of a certain message specified by the 
messagelD. May be called anytime between a 
MDAConnectAgent( ) and a MDADisconnectAgent( ). 
Input 

<agent_id> 

<dbhandle> 

<messageUID> which is the UID of the message. 
Output 

A list of attachment file names in that message. 
The size of the above. 

MDASendMail( ): Send mail to a specific user. May be 
called anytime between a MDAConnectAgent( ) and a 
MDADiscormectAgent( ). 
Input 

<agent_id> 

<dbhandle> 
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Message UID 

The mailbox name to open. 
The receiver of the message. 
The sender of the message. 
The message subject. 
The message body. 

MDAGetError( ): Get error information from the agent. 
May be called anytime between a MD AConnectAgent( ) and 
10 a MDADisconnectAgent( ). 

MDAGetMsgTime( ): Get the delivery time stamp of a 
specific message. May be called anytime between a 
MDAConnectAgent( ) and a MDADisconnectAgent( ). 
Input 
15 <agent_id> 
<dbhandle> 

<msgUID> used by Exchange to locate the message 
within the mailbox. 
Output 
20 The timestamp. 

MDAGetOwnerName( ): Get the owner name of a certain 
attachment file. May be called anytime between a 
MDAConnectAgent( ) and a MDADisconnectAgent( ). 
Input 

<agent id> 

<afile> 
Output 

The name of the owner. 
30 MDAEstimateAttFiles( ): Estimate the size and number of 
attachment files with time stamp later than <start__time> in 
server. May be called anytime between a 
MDAConnectAgent( ) and a MDADisconnectAgent( ). 
Input 
35 <agent id> 

<start_time> 
Output 

The total number of attachment files. 
The sum of the size of all attachment files. 
40 MDASetDetachedDir( ): Set a temporary directory to be 
the detached directory. May be called anytime between a 
MDAConnectAgent( ) and a MDADisconnectAgent( ). 
Input 
45 <agent__id> 

The detach directory path to be created. 
MDAFreeResource( ): Free the resources allocated for a 
specific UID. Currently supported for Exchange only. 
Input 
so <agent_id> 
Return 

flags for success and system error. 
Scanning of e-mail attachments can take place either on a 
scheduled basis or a real-time basis. When scanning for 

55 viruses is on a scheduled basis, a user, utilizing the anti-virus 
application 120, specifies the time interval at which scan- 
ning should take place, e.g., every 10 minutes, every hour, 
etc. E-mail received at the mail server program 130 within 
the previous time interval is scanned. If no new mail is 

60 received, no scanning takes place. Thus, when scanning 
takes place is under the control of the anti-virus application 
120. 

Real-time scanning will scan an e-mail message each time 
it is "received" by a user, regardless of whether or not the 
65 user is connected to the mail server program 130 and 
regardless of whether the user reads or accesses the e-mail 
message. If no mail is received, no scanning takes place. 



06/15/2004, EAST Version: 1.4.1 



5,832,208 

13 14 

Thus, no user log-on to a PC 10 or workstation 30 is <excludeFlag> 

necessary to trigger the operation of the agent 110 of the Allfiles jail excludej list only, 

present invention. <extCount> 

In the representative embodiment of the present ^nt of the extension in extString 

invention, the real-time scanning capability is implemented s 

and described below for Microsoft's Exchange Server pro- <extotnng> 

gram. It provides the real-time scanning capability for A list of extension stnng. 

Exchange Server. That is, once an e-mail message is for- RTSetCallbackFunction( ): Set the address of the inocu- 

warded to a mailbox, the agent 110 is immediately invoked. ^ ^ n back Action. 

The agent 110 will then detach the attached files if any, and 10 I°P ut 

send these files to anti-vims application 120 for scanning. If <agentID> 

a vims is detected, the anti-virus application 120 can cure ConnectionID of the current connection, 

the virus and call the agent 110 to reattach the affected files. <cbFunction> 

The real-time APIs (described below) include a "call- t, * 1U _ , - 

back" capability. The anti-virus application 120 provides a ™ e ad *5 58 ° £ *° func ' lon " , . 

call-backfunction to the agent 110. When the agent 110 finds 15 RTStartupNoUficatior* ): Startup the real-time notifica- 

something that is of interest to the anti- virus application 120 n ' 

(in this case, an e-mail message with an attachment) the Input 

agent 110 notifies the anti- virus application 120: in the <agentID> 

representative embodiment, the agent detaches the attach- ConnectionID of the current connection. 

ment and provides the file name of the attachment to the 20 RTShutdownNotification( ): Shutdown the real-time noti- 

anti- virus application 120 to enabling scanning of the attach- fication. 

ment. Input 

The following pseudo-code describes the APIs for the 

real-time operation of the present invention in relation to <agentID> 

Microsoft's Exchange program: 25 ConnectionID of the current connection. 

Functions RTGetError( ): Get error information from the agent 

RTConnectAgent( ); In put 

RTDisconnectAgent( ); <agent_id> 

RTGetError( ); ConnectionID of the current connected Agent. 

RTSetDetachedDir( ); 30 <errcode> 

RTSetCallbackFunction( ); ™ e error retum code from ^ 

RTStartupNotification( ); ° UtpUt 

RTShutdownNotification( ); <e ?T b i ff> 

RTSetExcludeFileExtension( ); 35 contanu,l « informatlon - 

RTConnectAgent( ) Establish a connection to the Real- „™ e Jc~ 31Z f > J1 ^ , x 

time Messaging Agent. Called before any MDA API calls RTSetDetachedDir( ): Set a temporary directory to be the 

that require an <agent_id> as an input parameter. detached directory. 

Input Input 

<server_name> <agent_id> 

Windows NT server name. ConnectionID of the current connected Agent. 

<agent„name> <detached_dir> 

Name of the Messaging Agent. ^ detacfa directory path to be created 

<user_id> 45 Of course, the above real-time scanning capability can be 

The Windows NT login name of the user. implemented for mail servers other than the Microsoft 

<userProfile> Exchange server. For example, for the Lotus Notes database, 

The name of the profile used for login. where every database is a file, that file must be opened 

<d word> whenever a new message is placed in the file. Thus, taking 

The pass word used to login with the above user id and 50 advanta .f ° f system level hoote, the agent 110 

userProfile ~~ can notl ^ "* e aatl_virus application 120 when a new e-mail 



Output 



message is received. 

It will be appreciated that the present invention is the first 



<agent__id> server-based anti-vims agent built using Windows NT 

The returned ConnectionID can be used by later API 55 WIN32 APIs, Lotus Notes APIs, Microsoft Exchange APIs 

calls to trace the current connection instance. and MAPI. The client side is transparent to the existence of 

RTDisconnectAgent( ): Disconnect the current connec- such anti-virus entities, 

tion to the Messaging Agent. Called after each MDA session Further, the agent 110 of the present invention is a generic 

to free the resource. agent which can interface with any anti -vims server pro- 

Input grams. 

<a t j d> 60 The agent 110 of the representative embodiment of the 

ComTectionlD of the current connection. P rese ? 1 iDvention f an * "^mented utilizing a logic 

RTSetExcludeFileExtension( ): Set the address of the " ° f * C ° m ? Uler mem °7 < c *' " mem0ry .device at 

inocuT an call hack function scrvcr ^ comprising computer-readable instructions, such 

mocuLan call back function. as a program , functionality of the logic circuit 

65 or computer memory is described above. The computer 

<agentID> program may be stored, for example, on a hard disk, 

ConnectionID of the current connection. CD-ROM or floppy disk. 
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What is claimed is: 

1. For use in a computer network having a client-server 
architecture and a message system, a server-based method 
for detecting and removing computer viruses located in 
attachments to e-mail messages comprising the steps of: 5 

providing a scan time period; 

at the server, searching the message system to obtain a list 
of attachments to e-mail messages received at the 
message system within the previous scan time period; 

at the server, passing each attachment in the list of io 
attachments to an anti-virus detection module for com- 
puter virus scanning; 

at the anti-virus detection module, detecting and remov- 
ing computer viruses in each attachment in the list of 
attachments; and 15 

at the server, re -attaching each attachment to the e-mail 
messages. 

2. The method of claim 1 further comprising the step of 
repeating the method each scan time period. 

3. The method of claim 1 wherein the e-mail messages 20 
comprises e-mail messages received from users at worksta- 
tions on the client-server network on which the message 
system is located. 

4. The method of claim 3 wherein the e-mail messages 
comprise e-mail messages received from external message 25 
systems. 

5. The method of claim 1 wherein the e-mail messages 
comprise e-mail messages received over the Internet. 

6. For use in a client -server computer network having a 
mail server, a method for detecting and removing computer 30 
viruses located in attachments to e-mail messages compris- 
ing the steps of: 

A. setting a scan time period; 

B. at the server, searching the mail server to obtain a list 
of attachments to e-mail messages input to the mail 35 
server within the previous scan time period; 

C. at the server, detecting and removing computer viruses 
in each attachment in the list of attachments; and 

D. at the server, re- attaching each attachment to the e-mail ^ 
messages in the mail server. 

7. The method of claim 6 further comprising the step of 
repeating steps B. through D. each scan time period. 

8. The method of claim 6 wherein step C. further corn- 
prises the step of passing each attachment in the list of ^ 
attachments to an anti-virus detection module for computer 
virus scanning. 

9. For use in a client-server computer network having a 
mail server, a method for detecting and removing computer 
viruses located in attachments to e-mail messages compris- 
ing the steps of: 

A. obtaining a scan time period; 

B. searching the mail server to create a list of attachments 
to e-mail messages that were input to the mail server 
within the previous scan time period; 55 

C passing each attachment in the list of attachments to an 
anti-virus detection module for computer virus scan- 
ning and removal; 

D. re-attaching each attachment to the e-mail messages in 
the mail server after scanning and removal of computer 60 
viruses at the anti- virus detection module; and 

E. repeating steps B. through D. each scan time period. 

10. For use in a client-server computer network having a 
plurality of workstations and a server, the server including a 
message system, a server-based method for detecting and 65 
removing computer viruses located in attachments to e-mail 
messages, comprising the steps of: 
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receiving an e-mail message at the message system; 
upon receipt of the e-mail message, determining whether 

the e-mail message includes an attachment; 
if the e-mail message includes an attachment, passing the 
attachment to an anti-virus detection module for com- 
puter virus scanning; 
at the anti-virus detection module, detecting and remov- 
ing computer viruses in the attachment; and 
re-attaching each attachment to the e-mail messages. 
U. The method of claim 10 wherein the step of receiving 
an e-mail message comprises the step of receiving an e-mail 
message from an external computer network. 

12. The method of claim 10 wherein the step of receiving 
an e-mail message comprises the step of receiving an e-mail 
message from a workstation. 

13. In a first computer network having a plurality of 
nodes, the first computer network configured to operate an 
e-mail system for sending and receiving among the plurality 
of nodes a plurality of e-mail messages, a sub-set of the 
plurality of e-mail messages having at least one attachment 
associated therewith, a method for detecting and removing 
computer viruses from the attachments to the plurality of 
e-mail messages, the method comprising the steps of: 

detaching the at least one attachment from each of the 
sub-set of the plurality of e-mail messages; 

sending the at least one attachment to an anti-virus 
application; 

scanning the at least one attachment for the at least one 
computer virus in accordance with the anti-virus appli- 
cation; 

removing the at least one computer virus from the at least 

one attachment; and 
reattaching the at least one attachment to a corresponding 

one of the plurality of e-mail messages. 

14. The method according to claim 13, wherein at least 
one of the plurality of e-mail messages originates from a 
second computer network in communication with the first 
computer network. 

15. The method according to claim 13, wherein at least 
one of the plurality of e-mail messages originates from the 
first computer network. 

16. The method according to claim 13, wherein the 
attachments are scanned regardless of whether opened or 
viewed by a user. 

17. The method according to claim 13, wherein the 
attachments are scanned without user intervention. 

18. The method according to claim 17, wherein at least 
one of the plurality of e-mail messages originates from a 
second computer network in communication with the first 
computer network. 

19. In a first computer network having a plurality of 
nodes, the first computer network configured to operate an 
e-mail system for sending and receiving a plurality of e-mail 
messages among the plurality of nodes, a subset of the 
plurality of e-mail messages having at least one attachment 
associated therewith, a method for detecting and removing 
at least one computer virus from the at least one attachment, 
the method comprising the steps of: 

detaching the at least one attachment from each of the 

plurality of e-mail messages; 
determining whether the at least one attachment is 

infected with the at least one computer virus; 
removing the at least one computer virus from the at least 

one attachment; and 
reattaching the at least one attachment to a corresponding 

one of the plurality of e-mail messages. 
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20. A system for detecting computer viruses located in 
attachments to e-mail messages in a client-server computer 
network including a server computer and a plurality of client 
computers and a message system located at the server 
computer for controlling the distribution of e-mail messages, 
comprising: 

an anti-virus module located at the server computer for 

scanning files for viruses; and 
an agent located at the server computer, the agent pro- 
viding an interface between the anti-virus module and 
the message system, and including 
means for receiving a scan time period, 
means for searching the message system to obtain a list 
of attachments to e-mail messages received at the 
message system within the previous scan time 
period, 

means for passing each attachment in the list of attach- 
ments to the anti- virus module for computer virus 
scanning, and 

means for re-attaching each attachment to the e-mail 
messages. 

21. The system of claim 20 wherein the e-mail messages 
comprises e-mail messages received from client computers 
on the computer network. 

22. The system of claim 20 wherein the message system 
comprises an external gateway and the e-mail messages 
comprise e-mail messages received from external message 
systems. 

23. The system of claim 20 wherein the e-mail messages 
comprise e-mail messages received over an Internet con- 
nection. 

24. An anti-virus agent for use in a client-server computer 
network having a server computer including a mail server 
with e-mail messages and a plurality of client computers, the 
anti-virus agent assisting in the detection of computer 
viruses located in attachments to e-mail messages, compris- 
ing: 

means for setting a scan time period; 

means, located at the server computer, for searching the 
mail server to obtain a list of attachments to e-mail 
messages input to the mail server within the previous 
scan time period; 

means for passing each attachment in the list of attach- 
ments to an anti-virus detection module for computer 
virus scanning and removal; and 

means, located at the server computer, for re-attaching 
each attachment to the e-mail messages in the mail 
server. 

25. The system of claim 24 further comprising means for 
detecting and removing computer viruses in each attachment 
in the list of attachments. 

26. In a first computer network having a plurality of nodes 
and configured to operate an e-mail system for sending and 
receiving among the plurality of nodes a plurality of e-mail 
messages, a sub-set of the plurality of e-mail messages 
having at least one attachment associated therewith, a sys- 
tem for detecting and removing computer viruses from the 
attachments to the plurality of e-mail messages, the system 
comprising: 

means for detaching the at least one attachment from each 
of the sub-set of the plurality of e-mail messages; 

means for sending the at least one attachment to an 
anti-virus application; 

means for scanning the at least one attachment for the at 
least one computer virus in accordance with the anti- 
virus application; 
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means for removing the at least one computer virus from 

the at least one attachment; and 
means for reattaching the at least one attachment to a 

corresponding one of the plurality of e-mail messages. 

27. The system of claim 26, wherein at least one of the 
plurality of e-mail messages originates from a second com- 
puter network in communication with the first computer 
network. 

28. The system of claim 26, wherein at least one of the 
plurality of e-mail messages originates from within the first 
computer network. 

29. In a first computer network having a plurality of nodes 
and configured to operate an e-mail system for sending and 
receiving a plurality of e-mail messages among the plurality 
of nodes, a subset of the plurality of e-mail messages having 
at least one attachment associated therewith, a system for 
detecting and removing at least one computer virus from the 
at least one attachment, the system comprising: 

means for detaching the at least one attachment from each 

of the plurality of e-mail messages; 
means for determining whether the at least one attachment 

is infected with the at least one computer virus; 
means for removing the at least one computer virus from 

the at least one attachment; and 
means for reattaching the at least one attachment to a 

corresponding one of the plurality of e-mail messages. 

30. A real-time system for detecting computer viruses 
located in attachments to e-mail messages in a client-server 
computer network including a server computer and a plu- 
rality of client computers, a message system being located at 
the server computer for controlling the distribution of e-mail 
messages and including a plurality of mailboxes, the real- 
time system comprising: 

an anti-virus module located at the server computer for 
scanning files for viruses; and 

an agent located at the server computer, the agent pro- 
viding an interface between the anti-virus module and 
the message system and invoked whenever an e-mail 
message is forwarded to a mailbox, and including 
means for determining if an e-mail message includes an 
attachment, 

means for detaching the attachment from the e-mail 
message, 

means for enabling the anti-virus module to scan the 
attachment for computer viruses, and 

means for re-attaching each attachment to the e-mail 
messages. 

31. The real-time system of claim 30 wherein the means 
for detaching further comprises means for storing the attach- 
ment in a file. 

32. The real-time system of claim 31 wherein the means 
for enabling further comprises means for notifying the 
anti- virus module of the address of the file in which the 
attachment is stored. 

33. The real-time system of claim 30 wherein the e-mail 
messages comprises e-mail messages received from client 
computers on the computer network. 

34. The real-time system of claim 30 wherein the agent 
provides an interface between the message system and a 
plurality of different anti-virus modules. 

35. The real-time system of claim 30 wherein the agent 
provides an interface between the anti-virus module and a 
plurality of different message systems. 
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